Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1465684
MD5: 1b898df684811054d405e9c31fddd80a
SHA1: 9a322fd8e07427ce716f0dd9210ff563091e32de
SHA256: 7386925178799b6b5a78e550ab756eedb61bb62adc8db66623f4a60dff30fe92
Tags: exe, RedLineStealer

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: setup.exe Avira: detected
Source: 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "141.94.188.138:46419", "Bot Id": "pon"}
Source: setup.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: setup.exe Joe Sandbox ML: detected
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: setup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb9 source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899543825.00000000055FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbd source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: 141.94.188.138:46419
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 141.94.188.138:46419
Source: Joe Sandbox View IP Address: 141.94.188.138
Source: Joe Sandbox View ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
Source: unknown TCP traffic detected without corresponding DNS query: 141.94.188.138
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequence
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-rx/wsrm/200702/fault
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512#BinarySecret
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Renew
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issueh
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Cancel
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Renew
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Aborted
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Commit
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Committed
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Completion
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Durable2PC
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepare
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepared
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/ReadOnly
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Replay
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Rollback
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/Volatile2PC
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wsat/2006/06/fault
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wscoor/2006/06
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Register
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponse
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/ws-tx/wscoor/2006/06/fault
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmd
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyD
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/8
Source: setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/ConfirmLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/ConfirmResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/InitDisplayLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/InitDisplayResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/InitLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/InitResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartBrowsersLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartBrowsersResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartColdWalletsLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartColdWalletsResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartDefendersLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartDefendersResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartDiscordLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartDiscordResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartFtpConnectionsLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartFtpConnectionsResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartHardwaresLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartHardwaresResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartInstalledBrowsersLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartInstalledBrowsersResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartInstalledSoftwaresLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartInstalledSoftwaresResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartLanguagesLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartLanguagesResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartNordVPNLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartNordVPNResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartOpenVPNLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartOpenVPNResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartProcessesLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartProcessesResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartProtonVPNLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartProtonVPNResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartScannedFilesLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartScannedFilesResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartSteamFilesLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartSteamFilesResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartTelegramFilesLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/PartTelegramFilesResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponseX
Source: setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Endpoint/h
Source: setup.exe, 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%

System Summary

Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
Source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: setup.exe, Option.cs Long String: Length: 151576
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05263F30 0_2_05263F30
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05263F20 0_2_05263F20
Source: setup.exe, 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOverpaints.exe4 vs setup.exe
Source: setup.exe, 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameOverpaints.exe4 vs setup.exe
Source: setup.exe, 00000000.00000002.2897450427.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs setup.exe
Source: setup.exe, 00000000.00000000.1642969891.0000000000918000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRegAsm.exeT vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameRegAsm.exeT vs setup.exe
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_3d9371fd reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
Source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: classification engine Classification label: mal96.troj.winEXE@2/0@0/1
Source: C:\Users\user\Desktop\setup.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: setup.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: setup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb9 source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899543825.00000000055FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbd source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\setup.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\setup.exe Memory allocated: 4C90000 memory reserve | memory write watch
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWWa
Source: C:\Users\user\Desktop\setup.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\Desktop\setup.exe VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: Yara match File source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR
Source: Yara match File source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR